Client XML, Tunnel and Blast TCP Protocols on TCP Port 443

The primary requirement for Horizon is to support native Horizon clients and the HTML Access Horizon client with protocol handling for the client XML control protocol, the Horizon HTTPS secure tunnel and the Blast/HTTPS WebSockets protocol.

All of these protocols can be carried over HTTPS on TCP port 443, so no other ports need to be opened through the outer firewall (Firewall 1) or through the firewall between the DMZ zones (Firewall 2), as shown in Figure 3-1.

To support this minimum set of Horizon protocols with TLS termination and URL filtering, configure UAG 1 as a Web Reverse Proxy by enabling a Reverse Proxy Edge Service with the following Proxy Pattern:
(/broker/xml(.*)|/xmlapi(.*)|/broker/resources/(.*)|/ice/(.*)|/r/(.*)|/portal(.*)|/view-client/(.*)|/)

This restricts web traffic to the URLs that match the configured proxy pattern; requests for any other URL are not forwarded to the internal UAG.

OPSWAT is the endpoint compliance check provider supported on Unified Access Gateway, and the OPSWAT MetaAccess on-demand agent is an OPSWAT client. If the OPSWAT MetaAccess on-demand agent is configured on UAG 2 and UAG 1 receives a request from Horizon Client to download the on-demand agent, UAG 1 must allow that request through to UAG 2. To support this scenario, UAG 1 must be running Unified Access Gateway 3.10 or later and be configured with the following Proxy Pattern, which adds /gateway/resources/(.*):
(/broker/xml(.*)|/xmlapi(.*)|/broker/resources/(.*)|/ice/(.*)|/r/(.*)|/portal(.*)|/|/gateway/resources/(.*))

For information about OPSWAT MetaAccess on-demand agent, see Deploying and Configuring VMware Unified Access Gateway, versions 3.9 and later.
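The two proxy patterns above are ordinary regular expressions, so the difference between them can be checked offline before touching the appliance. The following script is an added example and is not part of the Unified Access Gateway product or its documentation; it assumes that UAG evaluates the Proxy Pattern against the whole request path (a full match rather than a prefix match, which is what makes the trailing `/` alternative admit only the site root) and that the query string is not part of the matched text. The sample paths are constructed for illustration.

```python
import re

# Proxy Pattern for the minimum Horizon protocol set, copied from the text above.
HORIZON_PATTERN = (
    r"(/broker/xml(.*)|/xmlapi(.*)|/broker/resources/(.*)|/ice/(.*)"
    r"|/r/(.*)|/portal(.*)|/view-client/(.*)|/)"
)

# Same pattern extended with /gateway/resources/(.*) so that UAG 1 can pass
# the OPSWAT MetaAccess on-demand agent download through to UAG 2.
HORIZON_OPSWAT_PATTERN = (
    r"(/broker/xml(.*)|/xmlapi(.*)|/broker/resources/(.*)|/ice/(.*)"
    r"|/r/(.*)|/portal(.*)|/|/gateway/resources/(.*))"
)


def path_allowed(pattern: str, request_target: str) -> bool:
    """Return True if the request path would be forwarded under `pattern`.

    Assumption (not stated on the page): the pattern must match the entire
    path, and the query string is stripped before matching. With a prefix
    match the bare '/' alternative would admit every URL, which is not the
    intent of the filter.
    """
    path = request_target.split("?", 1)[0]
    return re.fullmatch(pattern, path) is not None


def classify(pattern: str, request_targets: list[str]) -> dict[str, bool]:
    """Map each constructed request target to its allow/deny decision."""
    return {target: path_allowed(pattern, target) for target in request_targets}


# Constructed sample request targets: typical Horizon client URLs plus a few
# that have no business reaching the internal gateway through this filter.
SAMPLE_TARGETS = [
    "/",                                   # site root, matched by the bare '/'
    "/broker/xml",                         # client XML control protocol
    "/portal/webclient/index.html?x=1",    # HTML Access, query string ignored
    "/gateway/resources/agent-download",   # OPSWAT on-demand agent (UAG 3.10+)
    "/admin/",                             # not in either pattern
    "/index.html",                         # not the bare root, so denied
]

if __name__ == "__main__":
    for name, pattern in (("Horizon", HORIZON_PATTERN),
                          ("Horizon+OPSWAT", HORIZON_OPSWAT_PATTERN)):
        print(f"== {name} ==")
        for target, allowed in classify(pattern, SAMPLE_TARGETS).items():
            print(f"{'ALLOW' if allowed else 'DENY ':5} {target}")
```

Running the script shows that the only difference between the two patterns is the `/gateway/resources/` subtree; everything else, including `/admin/` and any path that is not exactly the site root, is denied by both. If you change the pattern on UAG 1, re-run this kind of check against the URLs your clients actually use so that a typo in an alternative does not silently block a protocol.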

To configure this automatically at deploy time with PowerShell, add the following example section to the UAG.INI file:

[WebReverseProxy1]
instanceId=Horizon-WRP
proxyDestinationUrl=https://192.168.2.101
proxyDestinationUrlThumbprints=sha1=c5 51 2f a8 1e ef a9 f8 ed fa 1b 80 05 a9 c8 bc 6e 2c 64 b1
proxyPattern=(/broker/xml(.*)|/xmlapi(.*)|/broker/resources/(.*)|/ice/(.*)|/r/(.*)|/portal(.*)|/)

If using the Unified Access Gateway Admin UI, add a Reverse Proxy Edge Service with the following settings.

Figure 1. Unified Access Gateway Admin UI Settings for Web Reverse Proxy


Other ports described in the remainder of this section are optional depending on requirements for these additional protocols.